Cellular Phone File - #1
written, created and tested
by Count Zero
{CHiNA}
This simple (?) mod has been tested on the:
UNIDEN CS-1000/1200 Series Cellular
MPPS Red 12/13 (Pretty much same as above model)
and has proven effective for over four months running. However, (yes, here
comes the big disclaimer...)
----------------------------------------------------------------------------
D I S C L A I M E R
CHiNA and its members claim no responsibility for irresponsible
use of the information and designs contained herein. This file is being
presented on a "for knowledge's sake" basis to the members of the modemming
community at large. Any use of this file except for educational and
operational efficiency purposes is hereby forbidden.
So there!
The Conflict * Maxwell Smart * Count Zero * Monalisa Overdrive * The Viper
& Rubiks the Cube
----------------------------------------------------------------------------
What this mod does is prevent a correct unit identification code (called UIC
from here on) from being transmitted. The messages sent to and from the
local transmittal stations should be surpisingly familiar to any one of our
readers.
But here's the mod and a bit of theory that I used to discover it.
(1) Your individual UID is "burned into" a simple 8x8 EPROM that may
be erased and "re-written" to accomodate a new code. This may be
difficult, and in fact IS difficult because you will have a lot of
trouble finding where it begins and ends.
(2) The contact sequence when you first power up the unit (which usually
goes on while the handset's "NO SERVC" or "SVC UNAVAIL" is lit) goes
like this:
YOU A0 A0 A0 A0 A0 A0 A0 A0
IT ACK or NAK (up to a max of 4 times)
YOU 12 3A + UID
IT 12 3A + UID
YOU ACK or NAK
IT 00 00 00 or FF FF FF
(Available / Not Available)
The best route to handle this is to FORCE your system to ACK when asked
if a false code is its code.
The following should outline the procedure:
You will need:
* A Temperature-Controlled Soldering Iron
* Rosin-Core Solder
* Solder wick (for you slobs)
* Pair of Diag-Cutters (or wire-cutters)
* About 15 minutes of time.
Step 1 - Unplug the unit and allow to sit for at least a half hour to allow
all capacitors to become completely discharged. Also, as a
precaution, "discharge" yourself on a common ground (no woolly
socks, ok?) Remove cover from "handset" portion (yes, the one with
the keypad)
Step 2 - Locate the indicated EPROM should have a serial number that begins
with an "IA" prefix and will be noted on the circuit board as
"IC4" or "IC5". Given this knowledge and the following picture:
+5v -!-------!- GND
-! IA... !- RST
-! !-
+1.5v -! !-
IC4 D1 -! !- D5
D2 -! !- D6
D3 -! !- D7
D4 -!-------!- D8
...you should be able to find it.
Step 3 - Cut the D1 pin and pull completely back from the motherboard at
a 90 deg angle. This will not interfere with your system messages
but will disable any "odd number" from being sent! Thus your code
alone will come out false.
Step 4 - Locate the following components:
R14 - Resistor #14 1.5 ohm
Cut and jumper with solder and small gauge wire
R15 - Resistor #15 3.5 ohm
Cut and replace with 1.5 ohm from previous step
C22 - Capacitor #22
Cut and leave out!
Now make sure you have no "cold" joints and all soldered points are secure!
If you are going to screw up at any point in the procedure, this will be it.
Make sure to double-check your work! I don't want anyone weeping to me
because their handset if now fused to their right ear!
Step 5 - (explanation of Step 4)
This step "forces" the system to send an ACK (by routing the NAK
trigger through ACK output) and thus verifying the bogus code.
Step 6 - Reassemble handset.
Just a hint, do NOT go overboard on your calls as these calls are not free,
they are just being billed to another person's code (if it is a legit code)
Again, re-read the disclaimer.
Step 7 - Operate the unit normally.
TROUBLESHOOTING:
Problem Solution
* NO POWER Be sure all power leads were reconnected
correctly when you put the handset back
together.
* STILL GETTING CHARGED FOR Cut the correct pin from the IC!
CALLS If still getting charged, cut D2 as
well though this may be risky.
* CALLS "CAN'T BE COMPLETED" Recheck mods made in Step #4.
AS DIALED or SYSTEM
UNAVAILABLE
Well, this should get you started. A few notes before I go:
Thanks to The Conflict (for the inspiration), Maxwell Smart (for that "Smart"
report on Operation Wolf), Monalisa Overdrive (for letting me call him
repeatedly while testing this mod out!), Lord Blix (for the cracking help when
I needed it), The Viper (because he wants to be thanked)
Call on of our CHiNA nodes today for the latest in "knowledgable" text files
unlike other groups...
OVER AND OUT ---------> COUNT ZER0 !
+- Shamelessly Leeched from The Mudd Club -+
Press a key...